Mirai reveals mirage of IoT security – are we all doomed?

It’s a new world record; web hosting firm OVH has been hit with a distributed denial of service (DDoS) attack reaching speeds of 1.5 Tbps, following an attack on the website belonging to security journalist Brian Krebs. This latest attack smashes the previous record of a 650 Gbps attack just a few weeks ago, which was also inflicted on Krebs’ website.
This overwhelming surge of traffic was achieved using a botnet of 145,607 compromised cameras and DVRs, with each IP address firing requests at 1 Mbps to 30 Mbps. This throws up some serious concerns for the advancement of the IoT and the adoption of smart home technologies in particular; if a home consists of one hundred or more connected devices, for example, then a few years down the line we could be seeing headlines of DDoS attacks reaching devastating new heights – perhaps even as high as 10 Tbps.
Probably the most worrying factor is that these mammoth DDoS attacks have been unbelievably simple, a point summarized best by a recent tweet from security blogger Hacker Fantastic, which stated, “If all it took to create the biggest recorded DDoS attack in history was a telnet scanner and 36 weak credentials the net has a huge IoT problem.” The relatively unsophisticated source code is called Mirai, and has since been posted online.
Whereas PC owners can regularly perform scans on their systems to detect and eradicate botnets, owners of a smart home ecosystem rarely directly interact with individual devices, plus these devices don’t require replacements as regularly as laptops and mobile devices. Therefore, this requires a system which allows the user to scan their devices from a central controller – primarily a smartphone or central hub.
Users need to be able to update firmware for the entire home in order to reduce the vulnerability of systems such as security cameras, by checking for network vulnerabilities and regularly changing all default passwords. But the perfect synergy of the smart home is made difficult by the plethora of different device manufacturers that make up this environment, and the only defense mechanism at present is to have a separate firewall box sitting between the home and the outside world.
However, consumers are reluctant to pay for yet more hardware as well as the monthly subscription fees for the protective service that accompanies it – highlighting that consumer apathy is as much of an inhibitor to the progression of the IoT as that which seems to plague the security priorities of IoT companies themselves.
RIoT racked its brains for companies that are developing firewalls aimed at the smart home market, and then recalled a product launch from F-Secure at the Mobile World Congress tradeshow earlier this year, where F-Secure unveiled its Sense smart home security firewall. Coming from the company’s experience in providing antivirus protection, mostly for the Windows platform, F-Secure is targeting Sense at protecting users from the increasing attack footprint that will arise from living in increasingly connected homes.
On top of the $110 hub, Sense comes with a monthly subscription of around $10, and a smartphone app which blocks tracking attempts and malicious traffic from the device, as well as alerting users of out-of-date firmware on their home devices. But, as previously mentioned, having an additional system such as Sense within the smart home doesn’t come high up on the list of priorities for most smart home owners (yet?).
There is also a similar home gateway with firewall software from Taiwanese networking OEM ZyXEL, called the USG40HE. This sits between the modem and the WiFi router and runs a collection of programs that are intended to automatically block phishing attacks and malicious intrusions.
CDN giant Akamai was previously offering free DDoS protection for Krebs’ website, until the company retracted its support following the devastating impact of the attack on its servers. This is essentially Akamai showing its hand, revealing to the world exactly the extent of traffic its system can cope with. If the market leader in content delivery networks has backed off (although admittedly, without a paycheck), then the industry knows it isn’t prepared for the inevitable onslaught of attacks in the near future. Google then came to the rescue to provide Krebs with its Project Shield DDoS protection service.
Krebs’ website became the unfortunate victim following an article on a DDoS-for-hire service called vDoS, which consequently led to two arrests in Israel, but the connection to this latest occurrence has yet to be confirmed.
Written by Thomas Flanagan and first published at ReThink-IoT.